The report does a good job of bringing a great deal of Chinese-language and open-source information together, and is especially useful in laying out how information security research is funded in and conducted by military and civilian universities. Much of the discussion, however, about how China thinks about computer network operations, the growing links between defense and civilian industries, and the threats to the supply chain has been done before (James Mulvenon is particularly good on Chinese thinking about seizing the information advantage and the “digital triangle“; Tai Ming Cheung’s Fortifying Chinais an exhaustive study of China’s efforts to build a dual-use industrial base; and CFR held a workshop on some of the vulnerabilities that stem from sourcing hardware and software from all over the world in January 2011).

The specific findings of the report are useful and important, but we should remind ourselves of four things. First, it is easy to forget that much in the report is about aspirations, what the PLA hopes to accomplish, and that we are less certain about how capable it truly is. The report does not shy away from this point, quoting senior PLA officials who provide “blunt assessments of the shortcomings still being experienced” and who suggest there are “contradictions” between the Chinese and Western media portrayal of PLA operational success in training with “a different reality on the ground.” The gap between aspirations and capability is often lost in the report through a stream of descriptions of what PLA writings say the Chinese military could or might want to do to U.S. networks. By contrast, Desmond Ball of Australia National University argues that “China’s cyber-warfare authorities must despair at the breadth and depth of modern digital information and communications systems and technical expertise available to their adversaries.”

Second, and again the authors make this point, Occupying the Information High Ground is not a net assesment. It makes no effort to “detail possible countermeasures and network defense capabilities that the U.S. military and government may employ that could successfully detect or repel the types of operations described.” Or as one senior DoD official told Reuters, “We’re cognizant of those capabilities, of course, and are working on ways to add to the tools we already have to respond to them if necessary.” We should remember that the United States is not standing still—as Deputy Secretary of Defense Ashton Carter said at the RSA conference last week, “No moment in all those [budget] deliberations was it even considered to make cuts in our cyber expenditures. . . ships, planes, ground forces, lots of other things on the cutting room floor; not cyber.”

Third, as most of the writings cited in the report demonstrate, we know a lot more about Chinese thinking at the tactical level and much less about how the central leadership understands the political or strategic implications of a cyberattack on U.S. interests, especially one on critical infrastructure. The report notes that “the decision to move beyond strictly military targets for network attack operations would likely be made at the highest levels of China’s military and political leadership because of the recognized dangers of escalation that such a move presents.” How certain can leaders on either side of the Pacific be that it is possible to limit network attacks to “strictly military targets”? If the strategic is always a possibility in the tactical, then we need better insight into what central leaders in Zhongnanhai understand about and expect from cyber operations.

To the extent that the PLA and civilian intelligence organizations have been carrying out long term CNE [computer network exploitation] against U.S. networks without retribution or hard evidence of public attribution, Chinese leadership may be emboldened toward greater risk-taking for preemptive network-based attacks or penetrations, potentially increasing the dangers of miscalculation and unintended second and third order effects that lead the United States to escalate the crisis or respond in ways that PLA leaders may not have anticipated.

As I argue in my recent Foreign Affairs article, Chinese Computer Games, raising the costs and calling the perpetrators out is part of a strategy that will include bilateral and multilateral discussions on rules of the road for cyber, capacity-building, deterrence through denial, and possibly trade or other sanctions. Even using all these policy tools, it is going to take a long time; Chinese-based cyberattacks will not disappear anytime soon.

Very thoughtful article. I sadly wonder how many people in positions of responsibility regarding this subject actually understand even what is being said here.

This is one of the most delicate topics in the world today. China feels threatened by the USA capabilities in cyberwarfare and since they know they can’t dream to win in an all out war there, they are using the ancestral technique of death by a thousand cuts and continuously bleeding the USA:

1) by exfiltrating sensitive data, technical, marketing, financial, commercial, military if they can in a continuous manner

2) by draining the financial resources from the US military as recently happened during the budget ceiling discussion

Until next time,

Engineer

Post a Comment

CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR's guidelines and will be moderated prior to posting.

About This Blog

Asia Unbound examines political, economic, and social developments in Asia and the region’s growing importance in global affairs. Named one of the top fifty blogs following Asian business by Bschool.com.

New Independent Task Force Reports

India now matters to U.S. interests in virtually every dimension. This Independent Task Force report assesses the current situation in India and the U.S.-India relationship, and suggests a new model for partnership with a rising India.

Rates of heart disease, cancer, diabetes, and other noncommunicable diseases (NCDs) in low- and middle-income countries are increasing faster than in wealthier countries. The report outlines a plan for collective action on this growing epidemic.

The authors argue that the United States has responded inadequately to the rise of Chinese power and recommend placing less strategic emphasis on the goal of integrating China into the international system and more on balancing China's rise.

Campbell evaluates the implications of the Boko Haram insurgency and recommends that the United States support Nigerian efforts to address the drivers of Boko Haram, such as poverty and corruption, and to foster stronger ties with Nigerian civil society.